An Obscure App Flaw Creates Backdoors In Millions of Smartphones

An Obscure App Flaw Creates Backdoors In Millions of Smartphones

For hackers, scanning for an open “port”—a responsive, potentially vulnerable internet connection on a would-be victim’s machine—has long been one of the most basic ways to gain a foothold in a target company or agency. As it turns out, thanks to a few popular but rarely studied apps, plenty of smartphones have open ports, too. And those little-considered connections can just as easily give hackers access to tens of millions of Android devices.

A group of researchers from the University of Michigan identified hundreds of applications in Google Play that perform an unexpected trick: By essentially turning a phone into a server, they allow the owner to connect to that phone directly from their PC, just as they would to a web site or another internet service. But dozens of these apps leave open insecure ports on those smartphones. That could allow attackers to steal data, including contacts or photos, or even to install malware.

“Android has inherited this open port functionality from traditional computers, and many applications use open ports in a way that poses vulnerabilities,” says Yunhan Jia, one of the Michigan researchers who reported their findings at the IEEE European Symposium on Security and Privacy. “If one of these vulnerable open port apps is installed, your phone can be fully taken control of by attackers.”

Port of Call

To determine the full scope of the port problem, the Michigan researchers built a software tool they call OPAnalyzer (for Open Port Analyzer) that they used to scan the code of around 100,000 popular apps in the Google Play app store.

They found that 1,632 applications created open ports on smartphones, mostly intended to allow users to connect to them from PCs to send text messages, transfer files, or use the phone as a proxy to connect to the rest of the internet. Of those, they identified 410 as potentially having no protection or only weak protection—such as a hardcoded password that can be derived from the code and used by any hacker—meant to control who can access those open ports. And of that subset, they manually analyzed 57 that they confirmed left ports open and exploitable by any hacker on the same local Wi-Fi network, another app on the same device (even one with restricted privileges), or more disturbing, a script that runs in the victim’s browser when they merely visit a website.

And that may just be a partial list of exploits, says Zhiyun Qian, a computer scientist at the University of California at Riverside who has followed the Michigan researchers’ work. When a phone’s IP address is publicly visible on the internet—a situation that depends on whether the phone is connected to Wi-Fi and the user’s carrier—the attacker can simply scan for open ports from anywhere, and start attacking that vulnerable phone. In those cases, “this is completely, remotely exploitable,” says Qian. “It’s definitely serious.”

Of the 57 apps they identified as the most vulnerable to the open port attacks, two struck the researchers as particularly dangerous. One app with more than 10 million downloads called Wifi File Transfer allows users to connect to an open port on their phone via Wi-Fi, and access files like photos, application data, and anything stored on the phone’s SD card. But Jia says that due to the app’s lack of any authentication like a password, an intruder who connects to that open port can also get full access to the same sensitive files. “That’s intended functionality for the user, but because of that poor authentication it allows anyone to do it,” Jia says.

The researchers also point to AirDroid, a similarly popular app with an eight-digit number of downloads, designed to allow users full control of their Android phone from their PC. Researchers found that AirDroid had an authentication flaw that also lets malicious intruders access ports. But in AirDroid’s case, that flaw only allowed for the hijacking of existing connections. To perform the attack, malware on the phone would likely have had to intercept the user’s attempt to establish that legitimate connection. And when the Michigan researchers say that AirDroid’s developers patched the problem quickly after being notified.

The developers behind Wifi File Transfer, by contrast, haven’t fixed their app’s security problem even after the researchers contacted them, Michigan’s Jia says. WIRED reached out several times to Smarter Droid, the company that makes the app, but didn’t get a response.

‘The User Can Do Nothing’

In the videos below, the researchers demonstrate attacks on two other apps, PhonePal and Virtual USB, both of which Jia says remain vulnerable. Neither has nearly as many downloads as Wifi File Transfer, however—Virtual USB has less than 50,000, and PhonePal has only a few hundred. Neither company responded to WIRED’s request for comment.

Aside from those four apps, the researchers’ full paper details analyses of half a dozen others—several of which are mostly popular in the Chinese market—that are also vulnerable to varying degrees to open port attacks. More than half the 1,632 apps that create open ports on phones have more than 500,000 downloads, the researchers found.

To test just how widespread the most vulnerable apps might be, they at one point even scanned their local university network and immediately found devices with open, potentially hackable ports. “That so many developers have made this mistake is already an alarming sign,” says UC Riverside’s Qian. “There will be other apps they haven’t looked at, or that other people build in the future that will have the same problem.”

The notion that smartphone apps can open ports and leave them vulnerable has come to light before: In late 2015, the Chinese company Baidu revealed that a software development kit it had developed left open ports on devices where it was installed. Other major Chinese businesses, including Tencent and Qihoo, had already adopted the code, affecting more than 100 million users in total. After Baidu’s admission of the vulnerability the vulnerable apps all released security fixes.

Clearly, though, the problem of open ports in mobile devices persists. And the Michigan researchers suggest that fixing it will require developers to think twice before they open a gaping entry point in your device for remote hackers. “The user can do nothing. Google can do nothing,” says Jia. “The developer has to learn to use open ports correctly.”

Of course, there actually is one thing you can do: Uninstall the vulnerable apps like Wifi File Transfer that the researchers name. You may lose the convenience of moving files to and from your mobile device at will. But you’ll lock out the unwelcome guests who’d use that convenient backdoor, too.